(Updating to match new version of source page) |
(Updating to match new version of source page) Tags: Mobile edit Mobile web edit |
Line 106: | Line 106: | ||
drwxrS--- 3 someuser def-someuser 4096 Oct 13 19:39 dirTest | drwxrS--- 3 someuser def-someuser 4096 Oct 13 19:39 dirTest | ||
</source> | </source> | ||
== Default filesystem permissions == | |||
{{Draft}} | |||
Default filesystem permissions are defined by something called the [https://en.wikipedia.org/wiki/Umask <code>umask</code>]. There is a default value that is defined on any Linux system. To display the current value in your session, you can run the command | |||
{{Command|umask -S}} | |||
For example, on Graham, you would get | |||
{{Command|prompt=[user@gra-login1]$|umask -S | |||
|result=u=rwx,g=rx,o=}} | |||
This means that, by default, new files that you create can be read, written and executed by yourself, they can be read and executed by members of the group of the file, and they cannot be accessed by other people. '''The <code>umask</code> only applies to new files. Changing the <code>umask</code> does not change the access permissions of existing files.''' | |||
There may be reasons to define default permissions more permissive (for example, to allow other people to read and execute files), or more restrictive (not allowing your group to read or execute files). Setting your own <code>umask</code> can be done either in a session, or in your <code>.bashrc</code> file, by calling the command | |||
{{Command|umask <value>}} | |||
where the <code><value></code> can take a number of octal values. Below is a table of useful options, depending on your use case : | |||
{| class="wikitable" | |||
|- | |||
! <code>umask</code> value !! <code>umask</code> meaning !! Human-readable explanation | |||
|- | |||
| 077 || u=rwx,g=,o= || Files are readable, writable and executable by the owner only | |||
|- | |||
| 027 || u=rwx,g=rx,o= || Files are readable and executable by the owner and the group, but writable only by the owner | |||
|- | |||
| 007 || u=rwx,g=rwx,o= || Files are readable, writable and executable by the owner and the group | |||
|- | |||
| 022 || u=rwx,g=rx,o=rx || Files are readable and executable by everyone, but writable only by the owner | |||
|- | |||
| 002 || u=rwx,g=rwx,o=rx || Files are readable and executable by everyone, but writable only by the owner and the group | |||
|} | |||
The umask is not the only thing that determines who can access a file. | |||
* A user trying to access a file must have execute permission on all directories in the path to the file. For example, a file might have <code>o=rx</code> permissions but an arbitrary user could not read or execute it if the parent directory does not also have <code>o=x</code> permission. | |||
* The user trying to access a file based on its group permissions must be a member of the file's group. | |||
* You can explicitly change the permissions on a file or directory after it is created, using <code>chmod</code>. | |||
* Access Control Lists (ACLs) also determine who can access a file. | |||
=== Change of the default <code>umask</code> on Cedar, Béluga and Niagara === | |||
In the summer 2019, we discovered that the default <code>umask</code> was not the same on all Compute Canada servers. In the fall of 2019, we will be changing the default <code>umask</code> on these three servers to match the one from Graham. The default <code>umask</code> will change as follows: | |||
{| class="wikitable" | |||
|- | |||
! Cluster !! <code>umask</code> before the change !! <code>umask</code> after the change | |||
|- | |||
| Béluga || 002 || 027 | |||
|- | |||
| Cedar || 002 || 027 | |||
|- | |||
| Niagara || 022 || 027 | |||
|- | |||
|} | |||
This will mean that more restrictive permissions will be enforced on newly created files. If you need more permissive permissions for your workflow, you can change your default <code>umask</code> in your <code>.bashrc</code>. Our general advise is however to keep the default permissions. | |||
Note that this change does ''not'' mean that your files have been inappropriately exposed in the past. Restrictive access permissions have been set on your home, project, and scratch directories since the beginning. Unless the permissions were changed to give ''execute'' permission on one of these folders to others, your files still cannot be accessed by other people. | |||
=== Changing the permissions of existing files === | |||
If you want to change the permissions of existing files to match the new default permissions, you can use the <code>chmod</code> command as follow: | |||
{{Command|chmod g-w,o-rx <file>}} | |||
or, if you want to do it for a whole directory, you can run | |||
{{Command|chmod -R g-w,o-rx <directory>}} | |||
== Listes de contrôle d'accès == | == Listes de contrôle d'accès == |
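Review bot: The chmod g-w,o-rx commands under "Changing the permissions of existing files" do not fully reproduce the new default: the 027 row of the table is u=rwx,g=rx,o=, so others end up with no permissions at all, while o-rx leaves any existing write bit for others in place. Using chmod g-w,o-rwx <file> (and the same with -R for a directory) would match the 027 row however the file was originally created. Separately, the sentence after the Graham example and the "Human-readable explanation" column describe new files as executable; the umask only removes bits from the mode the creating program requests, and regular files are normally created without execute bits, so it would be more accurate to say that the x bits apply to new directories and to files created as executable. Minor wording: "Our general advise" should read "advice", and "as follow" should read "as follows".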